One more approach, if you have it, would be to utilize any network IDS sensor that you may have on your network. Most network IDSs have the ability to send out TCP resets to both ends when certain criteria are met. With Snort and RealSecure you can write a rule that will recognize a file name coming in via HTTP, FTP, etc. and kill that connection. It's probably not something you would want to program in for every *.exe, etc., but it's one more countermeasure for the more frequent things like Klez and Nimda.
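A sketch of the kind of Snort rule described above, added here as an example and not taken from the original post. It assumes Snort 2.x built with flexible response support (the `resp` keyword); the file name `readme.exe`, the `sid` values and the `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` variables are illustrative assumptions to adapt to the local `snort.conf`.

```snort
# Added example, not from the original post. Assumes Snort 2.x with flexresp.
# File name and sids are illustrative; sids are taken from the local range.

# HTTP: the file name appears in a server response headed for an internal
# client. resp:rst_all sends TCP resets to both ends of the connection.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"LOCAL inbound HTTP transfer of blocked file name readme.exe"; \
    flow:established,from_server; \
    content:"readme.exe"; nocase; \
    resp:rst_all; \
    sid:1000001; rev:1;)

# FTP: an internal client asks for the file on the control channel.
# Resetting here stops the request before the data transfer is set up.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 \
    (msg:"LOCAL FTP RETR of blocked file name readme.exe"; \
    flow:established,to_server; \
    content:"RETR "; nocase; \
    content:"readme.exe"; nocase; distance:0; \
    resp:rst_all; \
    sid:1000002; rev:1;)
```

The resets are sent after the sensor has seen the matching packet, so they race the transfer rather than guarantee a block, and a plain file-name match will also reset any legitimate connection that carries the same string.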
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:28 PDT